diff options
-rw-r--r-- | Changelog | 2 | ||||
-rw-r--r-- | tests/list | 1 | ||||
-rw-r--r-- | tests/snippets/dovecot/dovecot.ecdsa.crt | 11 | ||||
-rw-r--r-- | tests/snippets/dovecot/dovecot.ecdsa.key | 5 | ||||
l--------- | tests/tls-rsa+ecdsa/interimap.remote | 1 | ||||
-rw-r--r-- | tests/tls-rsa+ecdsa/remote.conf | 5 | ||||
-rw-r--r-- | tests/tls-rsa+ecdsa/t | 49 |
7 files changed, 74 insertions, 0 deletions
@@ -9,6 +9,8 @@ interimap (0.5.3) upstream; - libinterimap: 'null-stderr' is now ignored when the 'debug' flag is set (the standard error is never sent to /dev/null). - test suite: use a RSA certificate rather than ECDSA. + - test suite: new test with a server offering both RSA+ECDSA + certificates. This test requires dovecot-imapd 2.2.31 or later. -- Guilhem Moulin <guilhem@fripost.org> Tue, 08 Dec 2020 15:58:22 +0100 @@ -51,6 +51,7 @@ split-set Split large sets to avoid extra-long command lines tls SSL/TLS handshake ... tls-verify-peer tls-pin-fingerprint pubkey fingerprint pinning + tls-rsa+ecdsa pubkey fingerprint pinning for hybrid RSA+ECDSA tls-protocols force TLS protocol versions . Live synchronization (60s) diff --git a/tests/snippets/dovecot/dovecot.ecdsa.crt b/tests/snippets/dovecot/dovecot.ecdsa.crt new file mode 100644 index 0000000..b928d4d --- /dev/null +++ b/tests/snippets/dovecot/dovecot.ecdsa.crt @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBkjCCATmgAwIBAgIUWyEAqMhQ0uRLtagXgm68bUypQa4wCgYIKoZIzj0EAwIw +HzEdMBsGA1UEAwwUSW50ZXJJTUFQIHRlc3Qgc3VpdGUwHhcNMjAxMjA5MTQwOTUy +WhcNMzAxMjA3MTQwOTUyWjAfMR0wGwYDVQQDDBRJbnRlcklNQVAgdGVzdCBzdWl0 +ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABFP7A0ivFsHK/WuCQzz+WWh2jBLO +7uqhWSMh+1cc//jmn2q910XNH3xVFNkIRo7ddg6X8twli3OvC66/YIbxiTyjUzBR +MB0GA1UdDgQWBBS/p0mJpdBjKpNrQ/t+oJMrehS7wzAfBgNVHSMEGDAWgBS/p0mJ +pdBjKpNrQ/t+oJMrehS7wzAPBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49BAMCA0cA +MEQCIFMlTb7E92tElIueK8TxbllJ3NOaMb1TMjSScM38N8oOAiAiNI4AkESnimPN +IOsdnydFYjOkDEhzpXbrBEcP3EgJuQ== +-----END CERTIFICATE----- diff --git a/tests/snippets/dovecot/dovecot.ecdsa.key b/tests/snippets/dovecot/dovecot.ecdsa.key new file mode 100644 index 0000000..dfbd4a7 --- /dev/null +++ b/tests/snippets/dovecot/dovecot.ecdsa.key @@ -0,0 +1,5 @@ +-----BEGIN PRIVATE KEY----- +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgleLchaikcJbUnkps +4ITR6FGkW2S2+S+w2ISJSsvgt0ehRANCAART+wNIrxbByv1rgkM8/llodowSzu7q +oVkjIftXHP/45p9qvddFzR98VRTZCEaO3XYOl/LcJYtzrwuuv2CG8Yk8 +-----END PRIVATE KEY----- diff --git a/tests/tls-rsa+ecdsa/interimap.remote b/tests/tls-rsa+ecdsa/interimap.remote new file mode 120000 index 0000000..daf3741 --- /dev/null +++ b/tests/tls-rsa+ecdsa/interimap.remote @@ -0,0 +1 @@ +../tls/interimap.remote
\ No newline at end of file diff --git a/tests/tls-rsa+ecdsa/remote.conf b/tests/tls-rsa+ecdsa/remote.conf new file mode 100644 index 0000000..72ca135 --- /dev/null +++ b/tests/tls-rsa+ecdsa/remote.conf @@ -0,0 +1,5 @@ +!include conf.d/imapd.conf +!include conf.d/ssl.conf + +ssl_alt_cert = <conf.d/dovecot.ecdsa.crt +ssl_alt_key = <conf.d/dovecot.ecdsa.key diff --git a/tests/tls-rsa+ecdsa/t b/tests/tls-rsa+ecdsa/t new file mode 100644 index 0000000..29352e9 --- /dev/null +++ b/tests/tls-rsa+ecdsa/t @@ -0,0 +1,49 @@ +doveconf_remote() { + doveconf -c "$HOME_remote/.dovecot/config" -hx "$1" +} +pkey_sha256() { + openssl x509 -pubkey | openssl pkey -pubin -outform DER \ + | openssl dgst -sha256 | sed -rn "/^.*=\\s*/ {s///p;q}" +} +x509_sha256() { + openssl x509 -noout -fingerprint -sha256 \ + | sed -rn "/^.*=\\s*/ {s///p;q}" | tr -d : | tr "[A-Z]" "[a-z]" +} + +PKEY_SHA256="$(doveconf_remote ssl_cert | pkey_sha256)" +X509_SHA256="$(doveconf_remote ssl_cert | x509_sha256)" +PKEY_ALT_SHA256="$(doveconf_remote ssl_alt_cert | pkey_sha256)" +X509_ALT_SHA256="$(doveconf_remote ssl_alt_cert | x509_sha256)" + +# pinned valid fingerprints +cat >>"$XDG_CONFIG_HOME/interimap/config" <<-EOF + SSL_fingerprint = sha256\$$PKEY_SHA256 sha256\$$PKEY_ALT_SHA256 +EOF + +for ((i = 0; i < 32; i++)); do + u="$(shuf -n1 -e "local" "remote")" + sample_message | deliver -u "$u" +done +interimap_init +check_mailbox_status "INBOX" + +interimap --debug || error +# which peer certificate is used is up to libssl +grep -Fx -e "remote: Peer certificate fingerprint: sha256\$$X509_SHA256" \ + -e "remote: Peer certificate fingerprint: sha256\$$X509_ALT_SHA256" \ + <"$STDERR" || error + +# force RSA (XXX do we really have to force TLSv1.2 here?) +cat >>"$XDG_CONFIG_HOME/interimap/config" <<-EOF + SSL_protocols = TLSv1.2 + SSL_cipherlist = EECDH+AESGCM+aRSA +EOF +interimap --debug || error +grep -Fx "remote: Peer certificate fingerprint: sha256\$$X509_SHA256" <"$STDERR" || error + +# force ECDSA +sed -i "s/^SSL_cipherlist\\s*=.*/SSL_cipherlist = EECDH+AESGCM+aECDSA/" "$XDG_CONFIG_HOME/interimap/config" +interimap --debug || error +grep -Fx "remote: Peer certificate fingerprint: sha256\$$X509_ALT_SHA256" <"$STDERR" || error + +# vim: set filetype=sh : |